Amadeus Global Report 2016

11. Corporate risk management

In 2015, with the endorsement of the Board of Directors and the Executive Committee, Amadeus formally adopted the Three Lines of Defence Model, a model for integrating, coordinating and aligning all support and assurance functions within the entity, ensuring the effective management of risks across the company. Since its adoption, the Three Lines of Defence Model has fostered effective risk management across the Amadeus Group. In 2016, we refined the Three Lines of Defence Model through the adoption of a Combined Assurance concept.

[Figure: Three Lines of Defence and Combined Assurance]
First Line of Defence: executive management, management and staff

Amadeus' commitment to integrity and transparency begins with its own staff. Amadeus employees adhere to the ethical standards set forth in the Amadeus Code of Ethics & Business Conduct and related policies. We do not see this code and our core policies purely as a rule book, but as a mutual agreement across the company to promote positive behaviours that will add value to our business and ensure the highest standards of integrity at all times. The areas covered in the Code are as follows:

- Commitment to the environment
- Avoiding conflicts of interest
- Protecting personal data and confidentiality
- Handling relations with third parties and the media in a sensitive manner
- Handling company property, equipment and installations with care

We also respect and promote international human rights, and expect all our suppliers and business partners to uphold internationally recognised standards regarding working conditions and the dignified treatment of employees. Human rights form part of Amadeus' risk analysis. The company evaluates the risks of infringing on the following rights: non-discrimination, collective bargaining, freedom of association, fair wages, no child labour or forced labour, and adequate health and safety working conditions. Although such risks fall very low on our risk map, we have a series of mitigating and monitoring actions to manage them, both internally and with our suppliers and business partners. Our mergers and acquisitions procedures also include due diligence on human rights-related risks. Our Integration team ensures that the company's policies are effectively implemented in newly integrated companies. Furthermore, our Speak Up Policy encourages employees to report any breach of the Code of Ethics & Business Conduct and possible resulting human rights violations.
The Amadeus core policies listed below are supported by processes that, as with any other processes at Amadeus, undergo regular internal and external quality reviews to ensure regulatory compliance and application of best practice.

Amadeus policies

Risk and compliance policies
- Code of Ethics & Business Conduct
- Speak Up Policy
- Anti-Fraud Policy
- Anti-Bribery Policy
- Entertainment & Gifts Policies

Corporate and commercial legal policies
- Powers of Attorney
- Banking Powers
- Antitrust & Competition Law Compliance Manual
- On-Site Investigation Policy
- Data Privacy Manual
- Security & Privacy Handbook
- External Legal Counsel Policy

Other core Group policies
- Information Security Policy
- Sales Manual
- Corporate Purchasing Policy
- Health & Safety Policy
- Environmental Policy
- Charitable Contributions Policy
- Political Contributions & Lobbying Policy

(GRI indicators: G4-2, G4-57, G4-58)
Second Line of Defence: internal governance functions

(GRI indicators: G4-2, G4-14)

Control activities are embedded in all areas of the company. Major control activities are carried out by departments such as Risk & Compliance, Security, Privacy, Legal, Finance, Human Resources and others.

Risk management and controls

Risk & Compliance is responsible for centralising the continuous monitoring of major risk and compliance issues within Amadeus and also leads a transversal Combined Assurance programme involving the Risk & Compliance Office, the Group Privacy Unit and the Information Security Office. Through this Combined Assurance programme, we have expanded the coordinated management of oversight control activities and the sharing of results.

Risk & Compliance develops the Corporate Risk Map and establishes control and monitoring procedures for each of the identified risks, in conjunction with the owner responsible for each risk. The risks ascertained from analysis, as well as the monitoring measures, are reported on a regular basis to the Risk Steering Committee and the Audit Committee, as well as to the Executive Committee and the Board of Directors.

We continually monitor the most significant risks that could affect Amadeus and the companies that make up the Group, as well as Amadeus' own activities and objectives. Amadeus' general policy regarding risk management and monitoring focuses on:

- Achieving its long-term objectives as per its established strategic plan
- Contributing the maximum level of guarantees to shareholders and defending their interests
- Protecting the company's earnings
- Protecting the company's image and reputation
- Contributing the maximum level of guarantees to customers and defending their interests
- Guaranteeing corporate stability and financial strength over time

The ultimate aim of the Corporate Risk Map is to provide visibility on significant risks and facilitate effective risk management.
Risk analysis is a fundamental element of the company's decision-making processes, both within the governing bodies and in the management of the business as a whole. The Corporate Risk Map also takes into account the global risks identified each year by the World Economic Forum [1], such as economic, environmental, geopolitical, societal and technological risks. Amadeus is concerned about both immediate risks and emerging risks. Newly developing or changing risks that are difficult to quantify and could have a major impact on society and the industry are considered in the exercise.

The latest version of the Corporate Risk Map defines the most critical risks relating to Amadeus' operations and objectives, among which the following are highlighted: technological risks, operational risks that could affect the efficiency of business processes and services, commercial risks that could affect customer satisfaction, reputational risks, security and compliance risks, the macro-economic and geopolitical environment, and trends in the travel and tourism industry. Some of these risks have evolved from the previous Corporate Risk Map while others have been newly identified.

These highlighted risks are assigned to risk owners at the highest level of the company, who are given the duty to propose the risk response. Progress with mitigation and the evolution of key risks is submitted to the Risk Steering Committee for review and consideration, together with proposed action plans, when required, to take any necessary measures or further actions. Due to its transversal and dynamic character, the process described above identifies new risks that affect the Group arising as a result of changes in the environment, or as a consequence of the revision of objectives and strategies.

In the current business environment, which is characterised by increasing stakeholder demand for transparency, ethics and social responsibility, reputational risk management is becoming increasingly relevant.
The Amadeus Reputational Risk Map is fully integrated with the overall Corporate Risk Map of the company. Therefore, assessing the reputational impact of a particular risk is embedded into our methodology.

In addition to managing risks, Amadeus is very focused on ensuring compliance with emerging initiatives such as the General Data Protection Regulation (GDPR) of the EU, as well as existing control standards such as PCI-DSS (credit cards), SSAE 16 (computer controls) and ISO 27001 (security).

[1] World Economic Forum (2016). Global Risks Report 2016, 11th Edition.
Also, through the training and awareness plan under the coordination of the Risk & Compliance unit, we try to ensure that all employees understand and apply best practices on ethical as well as security and privacy principles.

The Risk & Compliance Office chairs the following committees:

Ethics Committee

The Ethics Committee provides guidance on ethical behaviour and compliance issues. This committee also addresses any concerns that employees may have and simultaneously assists in the implementation of the Code of Ethics & Business Conduct throughout the Amadeus Group. We attach great importance to promoting integrity, transparency and ethical conduct in all our operations, and we are committed to applying a zero-tolerance approach regarding prohibited practices, both in our internal affairs and external operations.

Risk Steering Committee

The Risk Steering Committee is a decision-making body empowered by the Executive Committee to provide oversight and guidance on risk management activities and issues across the Group, including risk assessment and prioritisation, risk mitigation strategies and crisis responses.

Both the Ethics Committee and the Risk Steering Committee meet on a regular basis.

Third Line of Defence: Group Internal Audit

(GRI indicator: G4-SO3)

The Group Internal Audit function provides independent and objective assurance and consulting services designed to improve Amadeus' operations. It helps the company accomplish its goals by using a systematic approach to evaluate the effectiveness of risk management, control and governance processes. Group Internal Audit encompasses all the Amadeus companies, businesses and processes. Every year, Group Internal Audit performs a thorough background and risk assessment exercise in order to identify audit priorities.
This background and risk assessment exercise considers, among other elements, strategic objectives and projects, the Corporate Risk Map, interviews with senior management and major control functions, business magnitudes and audit cycles. The output, together with the priorities agreed upon by top management and the Audit Committee, leads to the formalisation and approval, by the Audit Committee, of a yearly Internal Audit plan.

The reviews performed by Group Internal Audit are designed to evaluate the effectiveness of the internal control framework across Amadeus companies, businesses and processes, including the effectiveness of internal controls against fraud and corruption. The legal entities included in Group Internal Audit reviews during 2016 represented more than 50% of the total Amadeus workforce.

The coordination streams in place between Group Internal Audit and the main control, business and technology units ensure a continuous and optimum complement to Internal Audit's independent and objective assurance activities.

[Photo: Amadeus employee at the Bel Air building in Nice.]